Key Concepts from the EU's Code of Conduct on Agricultural Data Sharing

Our administrator, Todd Janzen, recently published an article discussing the EU's Code of Conduct for Agricultural Data Sharing, and how this document compares to North America's Privacy and Security Principles for Farm Data (also know as the ag data's "Core Principles").

The European Union’s (EU) General Data Protection Regulation (GDPR) encourages industry segments to develop guidelines for data processing and sharing. A number of farm organizations have come together to develop a set of guidelines for sharing agricultural data. The result is the EU Code of Conduct on Agricultural Data Sharing by Contractual Agreement (EU Ag Data Code). This post looks at some of the key concepts identified by the EU Ag Data Code.

Data Originator Concept. I have used a lot of ink writing about data “ownership.” The EU Ag Data Code favors the concept of a data “originator” instead. The Code states that, as a basic principle, data produced by the farm operator, or commissioned by the operator, is considered property of the data originator. The data originator should decide how that data is used or shared downstream.

Rights of the Data Originator. The Code recognizes the data originator as the person with the initial rights in the data. This includes the right to benefit or be compensated for use of data they originated. The Code also states that, unless otherwise agreed in contract, only the data originator may authorize transfer of data. Transfer must occur only after the data originator grants their “explicit, express and informed consent.”

The Need for Simple and Understandable Contracts. The Code states that contracts for ag data should clearly specify: (1) important terms and definitions; (2) the purpose of collecting, sharing, and processing data; (3) rights and obligations of parties related to data; (4) information related to storage and use of ag data; (5) verification mechanisms for the data originator; and (6) transparent mechanisms for adding new uses.

Encouraging Pseudonymization. The EU Ag Data Code contains the concept of “pseudonymization,” which is a procedure for replacing certain fields in data with artificial identifiers, or pseudonyms. The purpose of pseudonymization is to render data less identifiable and therefore lower the risks that it inadvertently shares personal information. This is different than anonymization, which irreversibly strips information so that it can no longer be identified with the originator. The Code states that data processor should use pseudonymization unless the parties agree on the terms by which the data originator can be identified.

Reducing Unfair Amendments to Contracts. Tech companies are constantly changing their online agreements and then simply informing their users, “by continuing to use this program, you agree to our new terms.” Most people would shocked if this happened in other types of contracts. Imagine a car lease that changes terms if you continue to use your car. But the tech industry has managed to get away with one-sided amendments for years. The Code tries to limit this behavior by stating, “contracts must not be amended without the prior consent of the data originator.”

Protecting a Natural Person’s Privacy. If companies use ag data “to make decisions about the data originator ‘as a natural person,’” then the GDPR protections for personal privacy rights apply. This is another way of saying, if you use my data to try to sell me stuff from third parties, the GDPR will apply.

Many of these concepts are similar to the widely adopted United States’ Ag Data Core Principles, but some are new. Like the Core Principles, the EU Ag Data Code is non-binding. Nevertheless, I commend the companies and organizations that worked to draft this EU Code of Conduct. I know from experience that this type of project is hard work.